How to identify security vulnerabilities in your network

In part one of our CRE cybersecurity series, we discussed the perceived risks associated with IoT and how it’s often thought to lead to compromised cybersecurity. The unfortunate reality is that disconnected buildings are often just as vulnerable to cyberattacks as their connected counterparts: older buildings can contain units that are internet-active and unencrypted, all without the facilities management (FM) team’s knowledge. In addition, an older building management system (BMS) can expose your portfolio to information leaks and cyberattacks if it is not updated to protect against the latest malware.

Identifying the holes in your cybersecurity

If you’re not sure how vulnerable your organization is to cyberattacks, the first step should be to carry out a comprehensive site audit covering the building network, BMS, all sub-systems, and any IoT devices. Log all previous contractors who have had maintenance contracts, and make sure you consistently capture the software they use and how they gain external access to your buildings. Unfortunately, it’s not uncommon for critical systems to be commissioned and deployed from contractor laptops with no handover or internal backup of those files. The audit should therefore include the manufacturer, model, firmware versions, points of external access, usernames, passwords and the locations of all system configuration files.

What is a Data Commissioning Report?

A comprehensive audit should conclude with a Data Commissioning Report, evaluating the performance of each connected device and sensor. A Data Commissioning Report provides a list of issues that need to be resolved by a controls or network vendor, as well as a summary of the building systems capable of being integrated into a smart building platform. Some common issues highlighted by a Data Commissioning Report include:

  • Disconnected or inconsistent connectivity of building systems
  • Systems not commissioned as directed
  • Poorly named points and/or tagging schemas
  • Inconsistent sensor polling counts
  • Erroneous sensor readings
  • Data points not responding to BACnet commands
  • Network outages resulting in entire sections of the building not reporting data

While cybersecurity risks are typically hidden in the underlying IT and OT systems, this report should complement your cybersecurity audit, providing a comprehensive list of your sensors, highlighting which are disconnected, miscalibrated or broken.
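
As an added illustration (not code from Switch Automation or from the original article), the Python sketch below turns per-point polling data into the kind of findings a Data Commissioning Report lists. The naming convention, the 90% polling tolerance and the sample points are all assumptions constructed for this example.

```python
import re
from collections import defaultdict

# Assumed naming convention for this example: SITE.FLOOR.EQUIPMENT.POINT
NAME_RE = re.compile(r"^[A-Z0-9]+\.(L\d{2})\.[A-Z]+\d*\.[A-Za-z]+$")
MIN_POLL_RATIO = 0.9  # assumed tolerance for missed polls

# Constructed sample: (point name, section, plausible (low, high) range,
# one reading per poll; None means the point did not answer that poll)
SAMPLE = [
    ("HQ.L01.AHU1.SupplyTemp", "L01", (5, 40), [18.2, 18.4, 18.3, 18.5]),
    ("HQ.L01.AHU1.ReturnTemp", "L01", (5, 40), [22.0, None, None, 22.3]),
    ("temp sensor 3",          "L01", (5, 40), [21.0, 21.1, 21.0, 21.2]),
    ("HQ.L02.VAV4.ZoneTemp",   "L02", (5, 40), [21.5, -327.6, 21.4, 21.6]),
    ("HQ.L03.VAV1.ZoneTemp",   "L03", (5, 40), [None, None, None, None]),
    ("HQ.L03.VAV2.ZoneTemp",   "L03", (5, 40), [None, None, None, None]),
]

def commissioning_report(points):
    """Return (issues per point, sections where no point reported at all)."""
    issues = defaultdict(list)
    by_section = defaultdict(list)
    for name, section, (low, high), readings in points:
        received = [r for r in readings if r is not None]
        by_section[section].append(bool(received))
        if not NAME_RE.match(name):
            issues[name].append("poorly named point")
        if not received:
            issues[name].append("disconnected")
            continue
        if len(received) / len(readings) < MIN_POLL_RATIO:
            issues[name].append(
                f"inconsistent polling ({len(received)}/{len(readings)})")
        bad = [r for r in received if not low <= r <= high]
        if bad:
            issues[name].append(f"erroneous readings {bad}")
    # A section counts as an outage only when every point in it is silent.
    outages = sorted(s for s, alive in by_section.items() if not any(alive))
    return dict(issues), outages

if __name__ == "__main__":
    issues, outages = commissioning_report(SAMPLE)
    for name, found in issues.items():
        print(f"{name}: {'; '.join(found)}")
    print("sections not reporting:", outages)
```

Points that appear in the report but are missing from the site audit's device inventory are worth following up, since they indicate equipment nobody has recorded firmware or access details for.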

Creating a foundation for your smart building journey

Completing a site audit will create a foundation for your cybersecurity strategy and for further investment in a scalable smart building program. Contrary to what the headlines lead us to believe, embracing IoT technology, when implemented correctly, is key to improving cybersecurity. Having discovered your portfolio’s cybersecurity weaknesses, you’ll then need to address them. Find out how in part 3 of our CRE cybersecurity series.
